As more organisations provide APIs (application programming interfaces) to encourage third-party developers to create new and interesting apps using their data, the issue of API security naturally comes to mind.
After all, APIs offer pathways to an organisation’s data assets that could be compromised if the necessary safeguards are not in place. Making things worse is the fact that APIs are, as their name suggests, programmable, which means hackers can program against them to get to the data they want.
Indeed, earlier this year hackers stole the social security numbers, birth dates and addresses of 100,000 US taxpayers using the US Inland Revenue Service’s GetTranscript API.
“These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer,” the IRS said recently.
One of the ways in which organisations can minimise the security risks posed by APIs is to use an API management platform such as Mashery, an Intel company that takes care of API security and makes APIs available to developers.
“It’s safer to expose data to a platform like ours that lets you turn on access during a hackathon, limit the number of people who can access the data, and turn off access when they’re done,” said Jason Cormier, API strategy and product evangelist at Intel Australia.
However, that does not mean API management platforms like Mashery take security lightly. As a cloud-based service, Mashery has its fair share of cyber attacks each day.
“We encounter security problems like everybody else, but we haven’t had any data breach or a successful attack that brought us down,” said Boaz Maor, vice president for customer success at Mashery, adding that the company employs a security operations team that works round the clock.
Additionally, Mashery has implemented measures to bring its service back online in the event of a security incident or downtime. For example, while the service is hosted on Amazon Web Services, Mashery also runs a parallel private network that serves as a backup.
Cormier advised companies that are concerned about security not to dismiss APIs entirely, as some developers may use their data in a mutually beneficial way.
He cited the example of Yellow Pages – a Mashery customer – that had problems with users screen-scraping data from its site to create useful third-party apps.
“They were tired of this, and decided to give people a legal channel from which data could be accessed easily,” Cormier said. “And by doing so, they were able to see what people were doing with the data, and suddenly they were more secure and had more control over their data than before.”
According to technology research firm Gartner, the API management market was worth about US$618 million in 2014.
There are a few other aspects of improved security in API Management solutions like Mashery or WSO2 API Cloud (http://wso2.com/cloud/api-cloud – disclosure: I work there):
1. Analytics integrated with the API gateway – so you can track the trends or even have an automated fraud detection system enabled and firing alarms on suspicious behavior,
2. Integrated security (OAuth token management, etc.) and ability to manage & block accounts that need to be blocked.
The bottom line of the story is basically:
* Whether to have APIs is a business & architectural decision,
* Once you decide to have APIs, you need to have an API management solution so you maintain (and actually improve) security.
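As an added illustration (not code from the article, from Mashery or from WSO2) of the two controls mentioned above, Cormier's time-boxed hackathon access and the comment's gateway analytics with account blocking: an API key is honoured only inside its access window and quota, and a detection pass over gateway logs flags a key that walks through many distinct records in a short time. Key names, log lines and thresholds are constructed for the demo.

```python
"""Minimal API-gateway policy check plus a detection pass over gateway logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policies: each key is valid only inside a window (e.g. a hackathon)
# and up to a quota of calls. Keys in BLOCKED are refused outright.
POLICIES = {
    "hack-team-01": {"start": "2015-06-20T09:00", "end": "2015-06-21T18:00", "quota": 500},
    "partner-yp": {"start": "2015-01-01T00:00", "end": "2015-12-31T23:59", "quota": 10000},
}
BLOCKED = {"partner-old"}


def allow(key, when, used):
    """Gateway decision for one call: blocked key, unknown key, window, quota."""
    if key in BLOCKED:
        return False, "key blocked"
    pol = POLICIES.get(key)
    if pol is None:
        return False, "unknown key"
    t = datetime.fromisoformat(when)
    if not datetime.fromisoformat(pol["start"]) <= t <= datetime.fromisoformat(pol["end"]):
        return False, "outside access window"
    if used >= pol["quota"]:
        return False, "quota exhausted"
    return True, "ok"


# Constructed gateway log: ISO time, API key, resource path (one customer record each).
LOG = """\
2015-06-20T10:00:01 hack-team-01 /customers/1001
2015-06-20T10:00:02 hack-team-01 /customers/1001
2015-06-20T10:00:03 partner-yp /customers/2001
2015-06-20T10:00:04 partner-yp /customers/2002
2015-06-20T10:00:05 partner-yp /customers/2003
2015-06-20T10:00:06 partner-yp /customers/2004
2015-06-20T10:00:07 partner-yp /customers/2005
2015-06-20T10:05:00 hack-team-01 /customers/1002
2015-06-20T10:12:00 hack-team-01 /customers/1003
"""


def suspicious_keys(log, window=timedelta(seconds=60), max_distinct=3):
    """Return {key: peak distinct records} for keys that touch more than
    max_distinct different records inside any sliding window of the given length."""
    by_key = defaultdict(list)
    for line in log.splitlines():
        ts, key, resource = line.split()
        by_key[key].append((datetime.fromisoformat(ts), resource))
    flagged = {}
    for key, events in by_key.items():
        events.sort()
        start = 0
        for end, (t, _) in enumerate(events):
            while t - events[start][0] > window:  # slide the window forward
                start += 1
            distinct = len({r for _, r in events[start:end + 1]})
            if distinct > max_distinct:
                flagged[key] = max(flagged.get(key, 0), distinct)
    return flagged
```

A flagged key is what the gateway's analytics would raise an alarm on, and adding it to BLOCKED is the "block the account" step the comment describes.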